AskCyberSecurity.com

Cyber Security News & Information

AskCyber Home » News » News » REvil Ransomware Attack on Kaseya Demanding $70M for Decryption Keys

REvil Ransomware Attack on Kaseya Demanding $70M for Decryption Keys

by

REvil Ransomware Kaseya

Kaseya Cyberattack Has Encrypted About 1,500 Client IT Systems

A cyberattack onKaseya Virtual System Administrator (VSA) has also impacted IT management companies and their clients. Kaseya VSA product was hit by an REvil ransomware attack on Friday, July 2. The supply-chain attack has also impacted Kaseya’s customers that use VSA for patch management and system monitoring.

“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only,’ says the company’s public statement.

REvil ransomware, also known as Sodinokibi or Sodin ransomware is the same ransomware involved in the well-known ransomware attack on Colonial Pipeline in March. It was also used to attack Brown-Forman Corp the producer of Jack Daniels Whiskey.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are responding to the Kaseya ransomware attack and have issued guidance.

Kaseya VSA is a Remote Monitoring and Management (RMM) software. The company’s clients are managed service providers (MSP) that in turn manage IT systems for their own customers.

REvil Ransomware

REvil cybercriminals successfully exploited a zero-day flaw as well as other vulnerabilities in to compromised Kaseya’s remote monitoring system, VSA.

Kaseya confirms that 60 of its customers that are using the VSA on-premises product were also compromised by this attack. However, those customers have clients of their own, bringing the total number of impacted companies to about 1,500.

REVil claims that over one million IT systems have been impacted. REvil operates as a ransomware-as-a-service model meaning attackers can use the malware and pay a percentage of the ransomware.

REvil Ransomare Kaseya VSA
REvil Post – Image Credit: Bleeping Computer

The attackers struck on the eve of a major holiday in the United States. This is a common tactic for cybercriminals to maximize impact and demand massive ransoms. Weekends and holidays are often a period where IT staff is at its lowest.

Kaseya VSA is an IT management software vendor that provides remote monitoring and management services to its clients. Part of its services includes automated patch management.

Kaseya says it has 36,000 customers. Its SaaS customers were not compromised.

The company has released a ransomware detection tool that can be downloaded here.

The statement from Kaseya warns all customers to be vigilant a future email phishing attacks. Cybercriminals often phish customers using fake warnings and situation updates in attempts to trick employees into clicking on harmful links or visit malicious websites.

These spoofed links or websites are crafted to look like legitimate corporate communications. However, they contain harmful computer coding that can launch more malware attacks or steal login credentials.

Kaseya Ransomware Attack – What to Do?

CISA and the FBI have issued guidance on how to protect networks from the Revil attacks.

  • Enable and enforce multi-factor authentication (MFA) on every account
  • Get up-to-date backups
  • Store backups in a location that is not connected to network (air gap)
  • Use the Principal of Principle of least privilege

Read the full guidance here

About Michelle Dvorak

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers